12 October 2010

Configuring Search Service Application - Accounts


Accounts
Two accounts are required for search: one for the search service and one for content access.

SharePoint Server search service account
The SharePoint Server 2010 Search service account is used as the service account for the SharePoint Server 2010 Search service. The SharePoint Server Search Service is an NT Service, which is used by all Search Service Applications. For any given server, there is only one instance of this service.
The SharePoint Server 2010 search service account requires the following permission configuration settings:
  • The search service account must not be a built-in account in order to access the database. Examples of built-in accounts are Local Service and Network Service.  
  • The SharePoint Server 2010 search service account is granted access to the propagation location share (or shares) on all search query servers in a farm.
The following machine-level permission is configured automatically:
  • The SharePoint Server 2010 search service account is a member of WSS_WPG.
The following SQL Server and database permissions are configured automatically:
  • This account is assigned to the WSS_CONTENT_APPLICATION_POOLS role associated with the farm configuration database.
  • This account is assigned to the WSS_CONTENT_APPLICATION_POOLS role associated with the SharePoint_Admin content database.

E.g.: 'sp_search'


Default Content Access Account
The default content access account is used within a specific service application to crawl content, unless a different authentication method is specified by a crawl rule for a URL or URL pattern.

This account requires the following permission configuration settings:
  • The default content access account must be a domain user account and it must have read access to external or secure content sources that you want to crawl by using this account.
  • For SharePoint Server sites that are not part of the server farm, this account must be explicitly granted full read permissions to the Web applications that host the sites.
  • This account must not be a member of the farm administrators group.
  • The crawler accesses all content using this account unless a crawl rule specifies a different account for a URL or URL pattern.
  • When the Search Service Application is created, this account is added to the Full Read user policy of the farm's web applications *, giving it read-only access to all content.
  • For proper search functionality and information security, do not use an administrator account, and do not use an account that can modify content; the crawler only ever needs to read.
  • This should be a unique account, dedicated to search only.

     
* Full Read Policy (screenshot of the web application user policy)

E.g.: 'sp_search_crawl'
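The two requirements that matter most for security (read-only access through the Full Read policy, and no administrative membership) are easy to check in code. The following C# is an added example and is not code from the original post: it gives the crawl account a Full Read user policy on one web application, then audits that the account holds no other policy role and is not a member of Farm Administrators. The web application URL, the account name and the group name "Farm Administrators" (the default name in Central Administration) are assumptions made for the example.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.SharePoint;
using Microsoft.SharePoint.Administration;

// Added example, not code from the original post. The URL, the account name and the
// group name "Farm Administrators" are placeholders for this example.
public static class CrawlAccountPolicy
{
    static SPPolicy FindPolicy(SPWebApplication webApp, string loginName)
    {
        foreach (SPPolicy p in webApp.Policies)
        {
            if (string.Equals(p.UserName, loginName, StringComparison.OrdinalIgnoreCase))
                return p;
        }
        return null;
    }

    // Ensure the account's only policy role on this web application is Full Read.
    public static void GrantFullRead(SPWebApplication webApp, string loginName, string displayName)
    {
        SPPolicy policy = FindPolicy(webApp, loginName) ?? webApp.Policies.Add(loginName, displayName);
        SPPolicyRole fullRead = webApp.PolicyRoles.GetSpecialRole(SPPolicyRoleType.FullRead);
        policy.PolicyRoleBindings.RemoveAll();   // drop e.g. a Full Control binding somebody added by hand
        policy.PolicyRoleBindings.Add(fullRead);
        webApp.Update();                          // persist the policy change to the configuration database
    }

    // One line per deviation from the guidance above; an empty list means "read-only, non-admin crawler".
    public static List<string> Audit(SPWebApplication webApp, string loginName)
    {
        var findings = new List<string>();

        SPPolicy policy = FindPolicy(webApp, loginName);
        if (policy == null)
        {
            findings.Add("no user policy on " + webApp.Name + ": the crawler will miss sites it was never granted");
        }
        else
        {
            foreach (SPPolicyRole role in policy.PolicyRoleBindings)
            {
                if (role.Type != SPPolicyRoleType.FullRead)
                    findings.Add("policy role '" + role.Name + "' on " + webApp.Name + " grants more than read");
            }
        }

        // Farm Administrators is a site group of the Central Administration root web.
        // Login names are compared as stored: on a claims web application they carry a
        // claims prefix (e.g. i:0#.w|), so pass the name in that form there.
        using (SPSite adminSite = SPAdministrationWebApplication.Local.Sites[0])
        {
            foreach (SPGroup group in adminSite.RootWeb.SiteGroups)
            {
                if (group.Name != "Farm Administrators") continue;
                foreach (SPUser member in group.Users)
                {
                    if (string.Equals(member.LoginName, loginName, StringComparison.OrdinalIgnoreCase))
                        findings.Add(loginName + " is a member of Farm Administrators");
                }
            }
        }
        return findings;
    }

    // Run on a farm server as a farm administrator (x64 build against .NET 3.5 for SharePoint 2010).
    public static void Main()
    {
        SPWebApplication webApp = SPWebApplication.Lookup(new Uri("http://intranet.contoso.local")); // placeholder
        const string crawlAccount = @"CONTOSO\sp_search_crawl";                                   // placeholder
        GrantFullRead(webApp, crawlAccount, "Search crawl account");
        List<string> findings = Audit(webApp, crawlAccount);
        Console.WriteLine(findings.Count == 0
            ? "OK: crawl account is read-only and not a farm administrator"
            : string.Join(Environment.NewLine, findings.ToArray()));
    }
}
```

Run the audit after every farm change that touches web application policies; a Full Control binding on the crawl account is the classic way a "read-only" crawler quietly becomes a write path into every site.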

07 October 2010

programmatically add delete modify item permissions

How to programmatically add, delete and modify item permissions in SharePoint


Note: SPPrincipal is the base class of both SPUser and SPGroup, so a method that takes an SPPrincipal accepts either. The methods below are extension methods on SPListItem; put them in a static class, reference Microsoft.SharePoint, and add using System;, using System.Collections.Generic; and using Microsoft.SharePoint;.

Breaking Inheritance

// Specifies whether the item has unique role assignments (true)
// or inherits its role assignments from its parent folder or list (false).
bool hasUniquePermissions = item.HasUniqueRoleAssignments;

// Stops inheriting permissions from the parent object.
// true:  copy the parent's role assignments onto the item (nobody loses access until you remove some)
// false: keep none of the parent's role assignments
item.BreakRoleInheritance(true);

// Removes the item's own role assignments
// and reverts to inheriting the role assignments of the parent object.
item.ResetRoleInheritance();


Adding Permissions to an item

// Example principals (any mix of users and groups):
// SPGroup group = web.Groups[0];
// SPUser user = web.Users[0];
// SPUser user2 = web.EnsureUser("mangaldas.mano");
// SPUser user3 = web.EnsureUser("Domain Users");
// SPPrincipal[] principals = { group, user, user2, user3 };
public static void SetPermissions(this SPListItem item, IEnumerable<SPPrincipal> principals, SPRoleType roleType)
{
 if (item != null)
 {
  // Resolve the role definition once rather than once per principal
  SPRoleDefinition roleDefinition = item.Web.RoleDefinitions.GetByType(roleType);
  foreach (SPPrincipal principal in principals)
  {
   SetPermissions(item, principal, roleDefinition);
  }
 }
}


public static void SetPermissions(this SPListItem item, SPUser user, SPRoleType roleType)
{
 if (item != null)
 {
  SPRoleDefinition roleDefinition = item.Web.RoleDefinitions.GetByType(roleType);
  SetPermissions(item, (SPPrincipal)user, roleDefinition);
 }
}

public static void SetPermissions(this SPListItem item, SPPrincipal principal, SPRoleType roleType)
{
 if (item != null)
 {
  SPRoleDefinition roleDefinition = item.Web.RoleDefinitions.GetByType(roleType);
  SetPermissions(item, principal, roleDefinition);
 }
}

public static void SetPermissions(this SPListItem item, SPUser user, SPRoleDefinition roleDefinition)
{
 if (item != null)
 {
  SetPermissions(item, (SPPrincipal)user, roleDefinition);
 }
}

public static void SetPermissions(this SPListItem item, SPPrincipal principal, SPRoleDefinition roleDefinition)
{
 if (item != null)
 {
  // Role assignments can only be added to an item with unique permissions;
  // break inheritance (keeping the parent's assignments) if it still inherits
  if (!item.HasUniqueRoleAssignments)
  {
   item.BreakRoleInheritance(true);
  }

  SPRoleAssignment roleAssignment = new SPRoleAssignment(principal);
  roleAssignment.RoleDefinitionBindings.Add(roleDefinition);
  item.RoleAssignments.Add(roleAssignment);
 }
}

Removing all of a user's (or group's) permissions from an item

public static void RemovePermissions(this SPListItem item, SPUser user)
{
 if (item != null)
 {
  RemovePermissions(item, (SPPrincipal)user);
 }
}

public static void RemovePermissions(this SPListItem item, SPPrincipal principal)
{
 if (item == null) return;
 // An inherited assignment cannot be removed on the item; fail loudly instead of
 // silently leaving the principal's access in place
 if (!item.HasUniqueRoleAssignments)
  throw new InvalidOperationException("Item inherits permissions; call BreakRoleInheritance first.");

 // Removes every role bound to this principal on the item
 item.RoleAssignments.Remove(principal);
 // SystemUpdate does not bump the version or the Modified/Modified By fields
 item.SystemUpdate();
}

Removing specific roles from an item

public static void RemovePermissionsSpecificRole(this SPListItem item, SPPrincipal principal, SPRoleDefinition roleDefinition)
{
 if (item == null) return;
 if (!item.HasUniqueRoleAssignments)
  throw new InvalidOperationException("Item inherits permissions; call BreakRoleInheritance first.");

 // Find the principal's assignment by ID; GetAssignmentByPrincipal throws instead of
 // returning null when the principal has no assignment on the item
 SPRoleAssignment roleAssignment = null;
 foreach (SPRoleAssignment candidate in item.RoleAssignments)
 {
  if (candidate.Member.ID == principal.ID) { roleAssignment = candidate; break; }
 }

 // Unbind just this role; any other roles the principal holds on the item stay in place
 if (roleAssignment != null && roleAssignment.RoleDefinitionBindings.Contains(roleDefinition))
 {
  roleAssignment.RoleDefinitionBindings.Remove(roleDefinition);
  roleAssignment.Update();
 }
}

public static void RemovePermissionsSpecificRole(this SPListItem item, SPPrincipal principal, SPRoleType roleType)
{
 if (item != null)
 {
  SPRoleDefinition roleDefinition = item.Web.RoleDefinitions.GetByType(roleType);
  RemovePermissionsSpecificRole(item, principal, roleDefinition);
 }
}

Updating or Modifying Permissions on an item

public static void ChangePermissions(this SPListItem item, SPPrincipal principal, SPRoleType roleType)
{
 if (item != null)
 {
  SPRoleDefinition roleDefinition = item.Web.RoleDefinitions.GetByType(roleType);
  ChangePermissions(item, principal, roleDefinition);
 }
}

public static void ChangePermissions(this SPListItem item, SPPrincipal principal, SPRoleDefinition roleDefinition)
{
 if (item == null) return;
 // An inherited assignment cannot be changed on the item; fail loudly rather than silently leave access as is
 if (!item.HasUniqueRoleAssignments)
  throw new InvalidOperationException("Item inherits permissions; call BreakRoleInheritance first.");
 // Find the principal's existing assignment by ID (GetAssignmentByPrincipal throws when there is none)
 SPRoleAssignment roleAssignment = null;
 foreach (SPRoleAssignment candidate in item.RoleAssignments)
 {
  if (candidate.Member.ID == principal.ID) { roleAssignment = candidate; break; }
 }
 // Replace every role the principal holds with the single requested one;
 // with no existing assignment nothing changes, use SetPermissions to create one
 if (roleAssignment != null)
 {
  roleAssignment.RoleDefinitionBindings.RemoveAll();
  roleAssignment.RoleDefinitionBindings.Add(roleDefinition);
  roleAssignment.Update();
 }
}
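The three operations above are usually combined into one task: lock an item down so that a single principal keeps a given role and everyone else loses direct access. The following C# is an added example and is not code from the original post; it is self-contained rather than built on the extension methods above. It breaks inheritance, removes every other role assignment, binds the kept principal to the requested role, and then verifies the outcome with DoesUserHavePermissions, which is the check a reviewer wants to see. The site URL, list name, item ID, group name and user names are assumptions made for the example.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.SharePoint;

// Added example, not code from the original post. Site URL, list, item ID, group and
// user names below are placeholders.
public static class ItemLockdown
{
    // Break inheritance, keep only `principal` with `roleType`, return how many other
    // role assignments were removed.
    public static int RestrictTo(SPListItem item, SPPrincipal principal, SPRoleType roleType)
    {
        // BreakRoleInheritance(true) copies the parent's assignments, so by itself it makes
        // nothing less accessible; the removal loop below is what actually restricts access.
        if (!item.HasUniqueRoleAssignments)
        {
            item.BreakRoleInheritance(true);
        }

        // Collect first, then remove: mutating the collection while enumerating it is unsafe.
        var toRemove = new List<SPPrincipal>();
        foreach (SPRoleAssignment ra in item.RoleAssignments)
        {
            if (ra.Member.ID != principal.ID) toRemove.Add(ra.Member);
        }
        foreach (SPPrincipal other in toRemove)
        {
            item.RoleAssignments.Remove(other);
        }

        // Bind the kept principal to exactly one role (add it if it had no assignment of its own).
        SPRoleDefinition role = item.Web.RoleDefinitions.GetByType(roleType);
        SPRoleAssignment kept = null;
        foreach (SPRoleAssignment ra in item.RoleAssignments)
        {
            if (ra.Member.ID == principal.ID) { kept = ra; break; }
        }
        if (kept == null)
        {
            kept = new SPRoleAssignment(principal);
            kept.RoleDefinitionBindings.Add(role);
            item.RoleAssignments.Add(kept);
        }
        else
        {
            kept.RoleDefinitionBindings.RemoveAll();
            kept.RoleDefinitionBindings.Add(role);
            kept.Update();
        }
        return toRemove.Count;
    }

    // Verify the result: `allowed` must hold `needed` on the item and `outsider` must not even
    // see it. Site collection administrators and accounts covered by a web application user
    // policy (for example a crawl account with Full Read) always pass DoesUserHavePermissions,
    // so pick an outsider that is neither or the check proves nothing.
    public static bool Verify(SPListItem item, SPUser allowed, SPUser outsider, SPBasePermissions needed)
    {
        bool allowedHasRights = item.DoesUserHavePermissions(allowed, needed);
        bool outsiderIsBlind = !item.DoesUserHavePermissions(outsider, SPBasePermissions.ViewListItems);
        return allowedHasRights && outsiderIsBlind;
    }

    // Console usage; inside an HTTP GET request you would also set web.AllowUnsafeUpdates = true.
    public static void Main()
    {
        using (SPSite site = new SPSite("http://intranet.contoso.local"))   // placeholder URL
        using (SPWeb web = site.OpenWeb())
        {
            SPList list = web.Lists["Contracts"];                            // placeholder list
            SPListItem item = list.GetItemById(1);                           // placeholder item
            SPGroup reviewers = web.SiteGroups["Legal Reviewers"];           // placeholder group

            int removed = RestrictTo(item, reviewers, SPRoleType.Reader);
            Console.WriteLine("removed {0} role assignment(s)", removed);

            SPUser reviewer = web.EnsureUser(@"CONTOSO\alice");              // placeholder, member of the group
            SPUser outsider = web.EnsureUser(@"CONTOSO\bob");                // placeholder, not a member
            bool ok = Verify(item, reviewer, outsider, SPBasePermissions.ViewListItems);
            Console.WriteLine(ok ? "lockdown verified" : "lockdown FAILED: check policies and admins");
        }
    }
}
```

The account running this code must keep enough rights to finish: a site collection administrator always does, while an ordinary user who removes their own assignment mid-way will fail on the next call.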